How to Use Private NuGet Feed with Docker Build

Especially on Windows Containers

Posted by admin on May 29, 2024

Private NuGet Repository

You can use a private NuGet repository in your docker build process. The best, most deterministic way to do this is to add a NuGet.config file to your repository with details.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <clear />
        <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
        <add key="myfeed" value="https://www.davidpuplava.com/nuget/index.json" />
    </packageSources>
    <disabledPackageSources />
</configuration>

Consider the following Dockerfile for building an ASP.NET web application. This work if your NuGet repository does not require authentication.

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build-env
LABEL stage=build-env

WORKDIR /app

# Copy and build
COPY ./src /app
COPY ./NuGet.config /app
RUN dotnet publish /app/MyApp.Web -c Release -o ./build/release --framework net8.0

# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:8.0
EXPOSE 80
ENV ASPNETCORE_URLS http://+:80
WORKDIR /app
COPY --from=build-env /app/build/release .
ENTRYPOINT ["dotnet", "MyApp.Web.dll"]

Accessing Securely

If your private NuGet feed requires authentication, you have a few options for how docker build can authenticate with your feed. One options is to store the credentials in plain text in the NuGet.config file but this is not very secure. Plus your intermediate layers from your docker build process will store this information.

You can environment variables to pass this information into your docker build process without storing secrets in your NuGet.config file.

You can take advantage of NuGet's default environment variable support NuGetPackageSourceCredentials_<package-name> where <package-name> is the name of your private repository. When this environment variable is set, NuGet will automatically use it for authentication to that repository.

The formation for the value of the environment variable is Username=...;Password=...;. You can also add ValidAuthenticationTypes=Basic if you desire. You'd do this if you want to explicitly control how NuGet should authenticate against your repository.

Consider the following example.

Username=myfeed-pat;Password=SuperSecretPWD!;ValidAuthenticationTypes=Basic

To configure, open Window's System Environment variables and click "New...". Enter the special environment variable name, and value.

In our working example we have a private NuGet repository named myfeed that is accessed with a personal access token username/password of myfeed-pat/SuperSecretPWD!.

Use Environment Variables in Docker Build

After you configure your environment variable, you can use it in your Dockerfile by adding these two lines. The first line adds an argument to your docker build file. The second line assigns that argument value to your docker build's environment variable context.

ARG NuGetPackageSourceCredentials_myfeed
ENV NuGetPackageSourceCredentials_myfeed=$NuGetPackageSourceCredentials_myfeed

Here is the final Dockerfile using envinroment variables to authenticate against a secured private NuGet repository.

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build-env
LABEL stage=build-env

ARG NuGetPackageSourceCredentials_myfeed

WORKDIR /app

# Copy and build
COPY ./src /app
COPY ./NuGet.config /app
ENV NuGetPackageSourceCredentials_myfeed=$NuGetPackageSourceCredentials_myfeed
RUN dotnet publish /app/MyApp.Web -c Release -o ./build/release --framework net8.0

# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:8.0
EXPOSE 80
ENV ASPNETCORE_URLS http://+:80
WORKDIR /app
COPY --from=build-env /app/build/release .
ENTRYPOINT ["dotnet", "MyApp.Web.dll"]

Passing Credentials

You can now pass your build server's environment variable into docker build to set the docker build processes environment variable during the build process with --build-arg.

Here is the docker build command.

docker build -f .\Dockerfile -t davidpuplava.com/nuget --build-arg NuGetPackageSourceCredentials_myfeed=$($Env:NuGetPackageSourceCredentials_myfeed) .

Summary

You can securely access a private NuGet repository with docker build using environment variables to avoid storing secrets in source control.

If you found value in this post, consider following me on X @davidpuplava for more valuable information about Game Dev, OrchardCore, C#/.NET and other topics.